Lambda update role permission

Lambda update role permission is an AWS fault that:

Modifies the role policies associated with a Lambda function.
Verifies the handling mechanism for function failures.
Can also be used to update the role attached to a Lambda function.
Checks the performance of the running lambda application in case it does not have enough permissions.

Fault execution flow chart

Lambda Update Role Permission

Usage

View fault usage

Lambda functions sometimes depend on services such as RDS, DynamoDB, S3, etc. In such cases, certain permissions are required to access these services. This chaos fault helps understand how your application would behave when a Lambda function does not have enough permissions to access the services.

Prerequisites

info

Kubernetes >= 1.17
Kubernetes secret that has AWS access configuration (key) in the CHAOS_NAMESPACE. Below is a sample secret file:

apiVersion: v1
kind: Secret
metadata:
  name: cloud-secret
type: Opaque
stringData:
  cloud_config.yml: |-
    # Add the cloud AWS credentials respectively
    [default]
    aws_access_key_id = XXXXXXXXXXXXXXXXXXX
    aws_secret_access_key = XXXXXXXXXXXXXXX

If you change the secret key name (from cloud_config.yml), ensure that you update the AWS_SHARED_CREDENTIALS_FILE environment variable on experiment.yaml with the same name.

Permissions required

Here is an example AWS policy to execute the Lambda update role permission fault.

View policy for this fault if `ROLE_ARN` environment variable is set.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "lambda:GetFunction",
                "lambda:UpdateFunctionConfiguration",
                "iam:AttachRolePolicy"
            ],
            "Resource": "*"
        }
    ]
}

View policy for this fault if `POLICY_ARN` environment variable is set.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:DetachRolePolicy",
                "lambda:GetFunction",
                "iam:ListAttachedRolePolicies",
                "iam:AttachRolePolicy",
                "iam:GetRolePolicy"
            ],
            "Resource": "*"
        }
    ]
}

Refer to the superset permission (or policy) to execute all AWS faults.

Default validation

info

The Lambda function should be up and running.

Experiment tunables

Fault tunables

Mandatory Fields

Variables	Description	Notes
FUNCTION_NAME	Name of the target Lambda function. It supports a single function name.	For example, `test-function`.
POLICY_ARN	Provide the policy arn that you want to detach from the role attached
ROLE_ARN	Provide the role arn that you want to update in the lambda function	ROLE_ARN and POLICY_ARN are mutually exclusive. If both are provided, ROLE_ARN is prioritized
REGION	The region name of the target lambda function	For example, `us-east-2`

Optional Fields

Variables	Description	Notes
TOTAL_CHAOS_DURATION	The total time duration for chaos insertion in seconds	Defaults to 30s.
CHAOS_INTERVAL	The interval (in seconds) between successive policy/role detach/update.	Defaults to 30s
SEQUENCE	It defines sequence of chaos execution for multiple instance	Default value: parallel. Supported: serial, parallel
RAMP_TIME	Period to wait before and after injection of chaos in seconds	For example, 30s.

Fault examples

Common and AWS specific tunables

Refer to the common attributes and AWS specific tunables to tune the common tunables for all faults and aws specific tunables.

Role ARN

You can update the role attached to a Lambda function using the ROLE_ARN environment variable.

Use the following example to tune it:

# contains the role arn for the lambda function
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
  name: engine-nginx
spec:
  engineState: "active"
  chaosServiceAccount: litmus-admin
  experiments:
  - name: lambda-update-role-permission
    spec:
      components:
        env:
        # provide the role arn 
        - name: ROLE_ARN
          value: 'arn:aws:iam::ACCOUNT_ID:role/service-role/chaos-role'
        # provide the function name 
        - name: FUNCTION_NAME
          value: 'chaos-function' 

Policy ARN

You can detach the policies attached to the role of Lambda function using the POLICY_ARN environment variable. Setting the ROLE_ARN environment variable helps update the role attached to the Lambda function. Otherwise, the policy is detached using the POLICY_ARN environment variable.

Use the following example to tune it:

# contains the policy arn for the lambda function
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
  name: engine-nginx
spec:
  engineState: "active"
  chaosServiceAccount: litmus-admin
  experiments:
  - name: lambda-update-role-permission
    spec:
      components:
        env:
        # provide the policy arn 
        - name: POLICY_ARN
          value: 'arn:aws:iam::ACCOUNT_ID:policy/service-role/chaos-policy'
        # provide the function name 
        - name: FUNCTION_NAME
          value: 'chaos-function'

Usage​

Prerequisites​

Permissions required​

Default validation​

Experiment tunables​